An upgrade from ClamWin 0.94.1 to 0.95.1 (after complete uninstall of 0.94.1) produced four problem files in my Thunderbird e-mail folders. I checked the files against Jotti and VirusTotal, and only ClamAV found positives in both cases. Further, VirusTotal's ClamAV 0.94.1 only identified one of the suspect files as phishing whereas Jotti's ClamAV (I do not know the version) identified all as phishing. I know that ClamAV is a Unix application but I do not know that there is not some correlation in the version numbers.

I sent all of my information except the files themselves (all contained sensitive information) to Luca at ClamAV because the problem seemed to arise from the upgrade to 0.95.1, a version stated to reduce false positives.

I reviewed this forum and found that I can filter out the suspect pathways from further scan in ClamWin/tools/preferences/filters/Exclude Matching Filenames, and I tried to apply the method in this way: <C>, but files in subfolders in that pathway still turned up in a subsequent scan. I next tried <C> (no period before *) with the same results.

How am I misapplying this technique and is there a better way to get ClamWin to ignore the identified phishing files?

Is there a problem with ClamWin 0.95.1 that will shortly produce an update?

Thanks in advance for any help or direction, Mike

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Thu Apr 30, 2009 3:22 pm

I've never used ClamWin on email, but as I understand it, the ClamWin exclusions do not work on scans of individual files. This may come into play in your situation.

Clam's version .95 (and ClamWin's port of it of course) has some additional detection functionality that makes it more sensitive than prior versions, especially in detecting virus families. They did not get enough beta testers for version .95 and have already done a version .95.1 cleanup. Also, they have lots of files to check each signature against for false positives before it is released; however, they need more Windows files. Clam's user base is still basically composed of Linux email servers, and they do a good job of supporting that base. That base isn't very concerned with Windows/Office files. Unfortunately, ClamWin is dependent upon Clam.

Regards,

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Fri May 01, 2009 11:23 am

Hi GuitarBob,

Thanks for your response.

I understand the need for files to analyze, but the files in question are under confidentiality restraints, and I do not believe the open source investigators are ready to help shoulder my confidentiality burdens.

I am not talking about scanning individual files, but ordering a scan on the entire hard drive and controlling whether ClamWin looks down certain pathways. I would like to get the e-mail paths that lead to the identified files excluded so there isn't so much to sort through when my daily searches take place and so I don't continually get e-mails for the same files which may be false positives.

How do I properly use the <C> filter in ClamWin/tools/preferences/filters/Exclude Matching Filenames (my exact syntax was filtered out before posting, I do not know why)?

Is there a better way to control ClamWin in my instance?

Is ClamAV 0.95.1 now more sensitive to phishing e-mails than the forty-odd vendors used on Jotti and VirusTotal? (In other words, do I have a real problem?)

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Fri May 01, 2009 12:38 pm

I don't think Clam is any more sensitive to phishing signatures now. Many phishers take great pains to make their phishing emails look ordinary. They are also getting better at spelling, so now and then you can get a sig that is the same as a "good" email.

As I said, I can't help much with using ClamWin for email. As for syntax, here's how I exclude the quarantine folder from my scans as an example:

C:\Documents and Settings\All Users\.clamwin\quarantine\*

Regards.

Anthony of Queens

Joined: 07 May 2009

Posts: 4

Location: USA

Posted: Thu May 07, 2009 2:04 am

Greetings All,

I too, since upgrading to ClamWin 0.95.1, am having the exact same symptoms, namely various phishing and other spoofed errors in Mozilla email.

Like Mike(99), I tried the various filters to no avail. I found no configuration parameters that would selectively not scan the Mozilla email folder locations.

This is my first post as a new member. Thank you for your support and hope. Anthony

Problem persists

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Thu May 07, 2009 10:01 am

Hi all,

I tried Guitar Bob's wildcard exclusion, and I tried copying the path as reported in ClamWin into the exclusion window inside <>, both to no avail.

It appears that I don't understand how to use the file exclusion box, or that it doesn't work. I don't have a next step at this point. Any additional help would be appreciated.

Mike

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Thu May 07, 2009 1:46 pm

Did you try this simple exclusion: filename.ext (example word.exe)? If that doesn't work, then perhaps a developer can help.

Regards,

Anthony of Queens

Joined: 07 May 2009

Posts: 4

Location: USA

Posted: Thu May 07, 2009 1:51 pm

Thank you for the updates.

I too confirmed I have added and am using Exclude filters: *.msf and *.sbd. However, my mail folder "Business.sbd" continues to be scanned and found to contain culpable phishing and spoofed domain emails. This looks like it could be a very good and clean solution for avoiding these file types and therefore errors.

Also, adding the following line to ClamWin's "Additional clamscan parameters:" to the best of my knowledge continues to scan those folders to find said culpable emails:

Thank you in advance for your continued support of our helpful support forum. Anthony

Anthony of Queens

Joined: 07 May 2009

Posts: 4

Location: USA

Posted: Sun May 17, 2009 2:03 pm

Greetings all,

This last week's C:, D: and F: drive scans with the aforementioned exclusions and filters continue to produce said viruses.

I will monitor this discussion in hopes for upgrades and or fixes.

All the best, Anthony

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Sun May 17, 2009 2:48 pm

Hi all,

Absent any idea why my syntax was ineffective in stopping ClamWin from scanning specific files or folders, I decided to try an exhaustive list of combinations in the hopes of stumbling over syntax that works. Below is a list of what I have tried so far on one phishing suspect:

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried second:
<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried third:
<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried fourth:
<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried fifth:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried sixth:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried seventh:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried eighth:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email. Absent any way to identify the offending files, parse out the files in progressively smaller folder sets until the offending file is identified.

I will post the results of this effort when I isolate the offending files. On the outside chance that the offending files are not confidential or contain secure information, who can I send them to for analysis?

Mike

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Sun May 17, 2009 2:52 pm

Sorry about the posting, I forgot that my pathways would be removed by the moderator. In short, no amount of *.sbd, *, *., .*, *.*, *.default, etc worked in a <drive> scenario.

Mike

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Mon May 18, 2009 10:43 am

Hi all,

I created subfolders for the suspect folders, and sorted the emails from the suspect folders into the appropriate subfolders. Three of the original folders were now empty, except for the subfolders. ClamWin still reported a phishing suspect in these folders, which might be reasonable because ostensibly the infected email was still in a lower part of the hierarchy, but in one case none of the subfolders was likewise indicated.

If ClamWin isn't misreporting where it finds the suspected files, then I think ClamWin is having trouble with Thunderbird's structure, not its contents. In either case it is tough for an outsider to work around this ClamWin issue.

It would be nice if there was some way to get ClamWin to report the entire path and final filename of the suspect email in Thunderbird.
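As an added illustration (not ClamWin's code and not an answer from the thread): a Python model of the two ways an exclusion filter could be applied, run over a constructed Thunderbird-style mailbox tree. Whether ClamWin's Exclude Matching Filenames tests the bare filename or the full path is an assumption to check against the real program; the model shows that if it is the filename only, neither `*.sbd` nor a `folder\*` pattern can keep the extensionless mailbox files (where the messages actually live) out of a scan.

```python
import fnmatch

# Constructed Thunderbird-style mailbox tree (sample data, not taken from the
# thread). Assumption: the classic mbox layout, where "Business" is the mailbox
# file holding the messages, "Business.msf" is its index, and "Business.sbd\"
# is the directory that holds the sub-mailboxes.
MAIL_FILES = [
    r"C:\Profile\Mail\Local Folders\Inbox",
    r"C:\Profile\Mail\Local Folders\Inbox.msf",
    r"C:\Profile\Mail\Local Folders\Business",
    r"C:\Profile\Mail\Local Folders\Business.msf",
    r"C:\Profile\Mail\Local Folders\Business.sbd\Clients",
    r"C:\Profile\Mail\Local Folders\Business.sbd\Clients.msf",
    r"C:\Profile\Mail\Local Folders\Business.sbd\Clients.sbd\2009",
    r"C:\Profile\Mail\Local Folders\Business.sbd\Clients.sbd\2009.msf",
]


def excluded_by_name(path, patterns):
    r"""Model A: the pattern is tested only against the final path component.
    A directory pattern like '*.sbd' never matches a file *inside* that
    directory, and an extensionless mailbox file matches no '*.ext' pattern."""
    name = path.rsplit("\\", 1)[-1]
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def excluded_by_path(path, patterns):
    r"""Model B: the pattern is tested against the full path, so 'folder\*'
    covers every file below that folder, sub-mailboxes included."""
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def still_scanned(files, patterns, matcher):
    """Return the files a scanner would still visit under the given model."""
    return [f for f in files if not matcher(f, patterns)]


if __name__ == "__main__":
    ext_filters = ["*.msf", "*.sbd"]
    path_filter = [r"C:\Profile\Mail\Local Folders\Business.sbd\*"]
    cases = [("name-only, *.msf / *.sbd", ext_filters, excluded_by_name),
             ("name-only, folder\\*", path_filter, excluded_by_name),
             ("full-path, folder\\*", path_filter, excluded_by_path)]
    for label, pats, matcher in cases:
        print(label)
        for f in still_scanned(MAIL_FILES, pats, matcher):
            print("  still scanned:", f)
```

Under the full-path model the top-level "Business" mailbox file is still scanned even when everything under "Business.sbd\" is excluded, which is one reason a positive can keep appearing after the sub-mailboxes have been filtered out.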

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Mon May 18, 2009 10:46 am

Guitar Bob,

You suggested in an earlier post that a developer could be of help here. I wrote to Luca with no response. How do we get a developer involved?

Mike

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Mon May 18, 2009 4:04 pm

The ClamWin developers look at these posts in the ClamWin forum as they get a chance and make note of important changes/improvements needed in ClamWin. I mentioned this so they might notice the problem. The free time they can devote to ClamWin is limited, however, so changes/improvements take some time, and they cannot address everything. Changes/improvements are usually made when ClamAV comes out with an upgrade, and they are incorporated with the Clam Linux port over to the Windows version of ClamWin.

Regards,

workaround

mikee99

Joined: 30 Apr 2009

Posts: 9

Location: WV

Posted: Wed May 20, 2009 10:26 am

Hi all,

This post is mostly for Anthony of Queens: I never found a way to make exclusions work, so I sorted the emails into continually smaller groups until I only had a dozen or so in a group, then either deleted or saved the group as pds, depending on the importance of the content. Some of the folders continued to produce phishing positives even though they were empty, so I created a new folder with a slightly different name, transferred the contents, and then deleted the offending folder.

This will probably be my last post on this issue unless someone else pipes in to help.